8.4.4.1.4 Access Permissions to Regions
Access permissions must be programmed separately for Secure access and Non-secure access.
Each region contains the following configuration registers:
- Region Attributes register (TZC_nnn_REGION_ATTRIBUTESy)
- Region ID Access register (TZC_nnn_REGION_ID_ACCESSy)
where y refers to the Region index (0..8).
The table below shows the region settings defined for Secure read and Secure write enables and relates this to the outcome that a Secure access can achieve.
| Region Parameters | Resulting Permissions that Grant Access | ||
|---|---|---|---|
| TZC_nnn_REGION_ATTRIBUTESy.S_WR_EN | TZC_nnn_REGION_ATTRIBUTESy.S_RD_EN | Secure Write | Secure Read |
| 0 | 0 | No | No |
| 0 | 1 | No | Yes |
| 1 | 0 | Yes | No |
| 1 | 1 | Yes | Yes |
If a region requires Secure access, this must be explicitly programmed, regardless of the settings for Non-secure reads and Non-secure writes. For example, when permissions are set so that a Non-secure read or Non-secure write access is permitted, it does not mean that the corresponding Secure read or Secure write access is also automatically granted.
The following figure illustrates how Non-secure enables affect access permissions for Non-secure accesses. The left-hand part of the flow diagram shows a Non-secure write access to the filter unit x. The right-hand part shows a Non-secure read access to the filter unit x.
Use the following replaceable terms when reading the figure below:
- y is the region in which the access resides
- x is the filter unit number
- ADDR is the address of the transaction
For each type of access, the filter unit checks whether the Non-secure access address resides in any region between 1 and 8 that is enabled for that filter. If the filter finds a match, then it uses that region. Otherwise, the filter selects the default Region 0. The filter uses the bits TZC_nnn_REGION_ID_ACCESSy.NS_RD_EN and TZC_nnn_REGION_ID_ACCESSy.NS_WR_EN for the selected region. If the value is 1, then the filter grants Non-secure access. If the value is 0, then the filter denies the Non-secure access.
When the filter unit detects that an access falls into an overlapping address area that two enabled regions define, it sets the overlap status bit in the Interrupt Status register (TZC_nnn_INT_STATUS). The only exception to this is if the overlap only occurs with Region 0. In this case the filter unit does not change the overlap status bit in register TZC_nnn_INT_STATUS. See TCZ_SYS_INT_STATUS and TZC_CPU_INT_STATUS.